In a basic form, an enterprise comprises users on client end stations (e.g., a computer, mobile device, or tablet) accessing enterprise resources. These enterprise resources may be presented to the user in the form of one or more enterprise applications coupled to enterprise data. For example, an enterprise application may be a customer relationship management (CRM) application used by the enterprise to track interactions with its customers. The enterprise data for the CRM application, likely in the form of a database, would include the stored customer interactions and other data necessary for the application to run.
In some cases, access requests to these enterprise resources may be suspicious. A suspicious access may turn out to be an attack (e.g., an intrusion) into the network. Such an attack may be the result of an attacker taking advantage of a compromised insider, or may be the result of a malicious insider or a negligent insider (the latter two being authorized users of the enterprise). In the case of a compromised insider, an attacker from outside the enterprise (e.g., an unknown attacker) may: 1) obtain information (e.g., credentials) from a compromised client end station, a phishing email, social engineering, etc., that can then be used from the attacker's own client end station to access enterprise resources (e.g., gaining access to the enterprise network via a virtual private network (VPN) connection); 2) take control of a compromised end station within the enterprise network to access enterprise resources; or 3) install software on the compromised end station to access enterprise resources. A malicious insider or negligent insider may be able to directly use a client end station within the enterprise to access the enterprise resources. Since each of the three above types of attack involves an insider, the detection of activity indicative of one of these attacks is referred to as the detection of an “insider threat.”
These attacks can lead to great losses and damages to the enterprise if they are not detected and managed. As more companies evolve highly connected enterprise network infrastructures, the danger of unauthorized data access and theft increases, and the fallout from such access is grave. However, current technologies do not adequately allow the enterprise to manage and determine the risk from suspicious accesses, and so in many cases suspicious activity on the network is unchecked and not properly monitored. Thus, there is a desire to have an improved method of monitoring and managing suspicious data access activity against enterprise resources.